diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2015-08-01 15:33:26 +0300 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2015-10-13 03:46:02 +0100 |
| commit | f3a66bdc88c3261f55b942453476e623056b92d9 (patch) | |
| tree | 63291c134355b22e3e6e28a677fbd73e15d1a64b /net | |
| parent | 6e3ae6256145b5597bee0296eb5fc384cd86aa3d (diff) | |
| download | kernel_samsung_smdk4412-f3a66bdc88c3261f55b942453476e623056b92d9.zip kernel_samsung_smdk4412-f3a66bdc88c3261f55b942453476e623056b92d9.tar.gz kernel_samsung_smdk4412-f3a66bdc88c3261f55b942453476e623056b92d9.tar.bz2 | |
rds: fix an integer overflow test in rds_info_getsockopt()
commit 468b732b6f76b138c0926eadf38ac88467dcd271 upstream.
"len" is a signed integer. We check that len is not negative, so it
goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison
is type promoted to unsigned long. ULONG_MAX - 4095 is a higher than
INT_MAX so the condition can never be true.
I don't know if this is harmful but it seems safe to limit "len" to
INT_MAX - 4095.
Fixes: a8c879a7ee98 ('RDS: Info and stats')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'net')
| -rw-r--r-- | net/rds/info.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/rds/info.c b/net/rds/info.c index f1c016c..a4adb39 100644 --- a/net/rds/info.c +++ b/net/rds/info.c @@ -176,7 +176,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval, /* check for all kinds of wrapping and the like */ start = (unsigned long)optval; - if (len < 0 || len + PAGE_SIZE - 1 < len || start + len < start) { + if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || start + len < start) { ret = -EINVAL; goto out; } |